一种基于主动学习的恶意代码检测方法

发布时间：2019-04-11 19:02

【摘要】：现有恶意代码的检测往往依赖于对足够数量样本的分析.然而新型恶意代码大量涌现,其出现之初,样本数量有限,现有方法无法迅速检测出新型恶意代码及其变种.在数据流依赖网络中分析进程访问行为异常度与相似度,引入了恶意代码检测估计风险,并提出一种通过最小化估计风险实现主动学习的恶意代码检测方法.该方法只需要很少比例的训练样本即可实现准确的恶意代码检测,比现有方法更适用于新型恶意代码检测.通过对真实的8 340个正常进程和7 257个恶意代码进程的实验分析,与传统基于统计分类器的检测方法相比,该方法明显地提升了恶意代码检测效果.即便在训练样本仅为总体样本数量1%的情况下,该方法也可以达到5.55%的错误率水平,比传统方法降低了36.5%.
[Abstract]:The detection of existing malicious code often relies on the analysis of a sufficient number of samples. However, a large number of new malicious code emerged, at the beginning of its appearance, the number of samples is limited, the existing methods can not quickly detect the new malicious code and its variants. This paper analyzes the anomaly and similarity of process access behavior in data flow dependent networks, introduces malicious code detection to estimate risk, and proposes a malicious code detection method to realize active learning by minimizing risk estimation. This method needs only a small proportion of training samples to achieve accurate malicious code detection, which is more suitable for new malicious code detection than the existing methods. Based on the experimental analysis of 8 340 normal processes and 7 257 malicious code processes, compared with the traditional statistical classifier-based detection method, the proposed method significantly improves the detection effect of malicious code. Even if the training sample is only 1% of the total number of samples, the method can reach the error rate of 5.55%, which is 36.5% lower than the traditional method.
【作者单位】：智能网络与网络安全教育部重点实验室(西安交通大学);
【基金】：国家自然科学基金(61175039,61221063,61375040) 陕西省国际合作重点项目(2013KW11) 中央高校基本科研业务费专项资金(2012jdhz08)~~
【分类号】：TP309

【参考文献】